Credit unions can play a role in preventing ‘supply chain’ cyber attacks

Last year, the global business community experienced a record number of data compromises. While many critical attacks occurred, a surprising number of organizations never had their security protocols directly breached. Instead, a growing number of third-party vendors, like accounting firms and managed service providers, were targeted—exposing the valuable data of their clients.

For credit unions, the risk of third-party breaches is multifaceted.

On the one hand, credit unions that outsource functions and share information with third-party vendors—from mobile banking providers to landscaping firms—are at risk.

On the other hand, the cyber risk facing business members threatens their overall financial health, which creates a separate set of risks for their credit unions.

What’s more, data stolen in third-party breaches often belongs to private individuals, 140 million of whom bank with credit unions. While cybercriminals use stolen data in many different ways, a consumer’s deposit account is a key destination.

Third-party breaches more than double, pace not expected to slow

As we look to the months ahead, trendspotters expect several cybersecurity risks to threaten both the credit union and broader business landscape.

An analysis of U.S. data breaches in TransUnion’s 2023 Omnichannel Fraud Report showed a 145% increase in third-party breaches between 2020 and 2022. Not only did the number of breaches increase, the severity of those breaches also rose by 23%.

For cybercriminals, the logic behind third-party attacks makes sense. Smaller vendors often have less sophisticated cybersecurity resources, which means they require less time and effort to hack. By getting into their systems, bad actors can gain access to large amounts of personal identity and confidential business information. It’s no wonder the tactic is expected to remain a criminal favorite throughout 2024.

Small-business members’ risk is two-fold

One sector that should be concerned about this trend is the micro and small business market. These are the mom-and-pop shop owners, small e-commerce sellers and boutique consulting firms who may be familiar faces at the local credit union. This sector has the most to lose from a third-party attack, both financially and reputationally. A single cyber attack could threaten the very existence of such small operations, as well as their ability to repay business loans or maintain healthy deposit account balances.

Micro and small businesses are not only under direct attack from cybercriminals who want access to their clients’ data. They are also under indirect attack. Because they rely on third-party vendors themselves to support functions like accounting, payroll, IT and administrative services, a small business’s own risk of a data leak increases with every new vendor it hires.

Limited resources and misunderstanding the threat may also mean a small business is unprepared to manage through and recover from such cyber events. Many owners have a misplaced confidence that their business is too small to attack. This can lead small business owners to put cyber protections on the back burner and to neglect proper cybersecurity due diligence for the vendors they hire.

If your credit union works closely with small businesses, consider upping your cybersecurity awareness education strategy. Tailoring communications directly to small business members can help alert them to the threats posed by third-party breaches.

Multi-factor authentication bypass attacks complicate matters

To prevent cybercriminals from leveraging stolen data for account access, multi-factor authentication (MFA) has become a fail-safe for organizations of all sizes. MFA requires users to receive an email, text or phone call before accessing a web application.

In the last year, however, we’ve witnessed the development of new cyber-attack strategies that exploit MFA weaknesses. As cybercriminals become more skilled at intercepting emails, SMS/text messages and even one-time passcodes, the risk of identity theft stemming from third-party breaches becomes even more acute.

Credit unions that rely on MFA for authenticating their members’ and partners’ access to CU technology should be considering that strategy in the context of rising third-party breaches. The ever-expanding database of stolen credentials, coupled with an increase in MFA bypass attacks, may necessitate the integration of new security layers, such as one-time passcodes and biometric authentication.

The expected increase in volume and severity of third-party breaches is introducing several new threats, both direct and indirect, to the credit union ecosystem. Staying up on the attack trends, talking openly and frequently about the threats to your business members and maintaining a culture of continuous improvement in your cyber strategy are three best practices for mitigating the risk.

To learn more about what’s on the cybersecurity horizon, download the ebook, “The Road to Data and Identity Security: Expected Risks and Threats in 2024.”

Eder Ribeiro

Eder Ribeiro, senior cybersecurity program manager at TransUnion, knows smaller organizations are not immune from cyberattacks. Before transitioning to his current role, Eder led the Incident Response Forensics (IRF) team ...